Question

We've configured a SharePoint 2013 two-way hybrid farm with ADFS 3.0. We want to achieve Single Sign-On (SSO), which is working, but not quite in a way that's ideal. Here's a scenario:

When a user accesses the on-premises farm they are redirected to our ADFS server and log in. When they then try to access their OneDrive (using the link in the top nav bar), which is hosted in our Office 365 environment, they are presented with the Office 365 login page. When they enter their user name they are immediately redirected to our ADFS and login happens. So in a way we've got Single Sign-On working, as users don't have to provide their password a second time. But it still requires users to enter their username in that Office 365 login page. Is there a way to prevent that intermediate Office 365 login page, so the switch between the two environments is seamless?


Solution

Unfortunately, due to the 'home-realm discovery' set of challenges, there's no way Office 365 can know where your users come from in order to be able to transparently redirect them to your ADFS server for their logon token. This is because they cannot guarantee that the intention is to specifically log on with only the organisational account bound to the tenant requested. Because this assumption is not made by O365, the user needs to say who they are (email address) to discover the home realm of the user (identity provider) to request an auth token.

Unless Office 365 brings a setting that allows only a single set of identities (one home realm) to auth with one tenant/URL, there will always be this additional hoop for users.

Edit 2017-09-27: it's now possible to configure your Office 365 SPO instance to force sign-on for a particular domain name, thus automatically redirecting to AD FS and gaining you SSO without the HRD. However, unless you have a solution at your AD FS/IdP for redirecting Guest users, you won't be able to use External Sharing in SharePoint Online.

See Enable or disable auto acceleration on the Office support site.

OTHER TIPS

The process to create a smart link is described on the Microsoft web site.

http://community.office365.com/en-us/w/sso/358.using-smart-links-or-idp-initiated-authentication-with-office-365.aspx

In a nutshell:

  1. Use a browser tool like Fiddler to sniff the URLs that happen when you visit https://portal.office365.com, outlook.office365.com, or the like.
  2. Tweak the URL to remove unnecessary query string parameters.
  3. Create a stub web site in IIS or some other web hosting platform.
  4. Create a 302 redirect to the URL you created above.
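Steps 1 and 2 of that procedure, as an added example that is not part of the original answer: it takes a sign-in URL captured from the browser, keeps only the WS-Federation parameters the home-realm redirect needs (`wa`, `whr`, `wreply`; that the `login.srf` endpoint honours them is an assumption here), and refuses any `wreply` target outside an allowlist so the stub site built in steps 3 and 4 does not become an open redirector. The captured URL and the domain `contoso.com` are constructed sample values.

```python
"""Trim a captured Office 365 sign-in URL down to a reusable smart link."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that are kept. Everything else in a captured URL
# (session ids, timestamps, client hints) is dropped so the link is stable.
KEEP_PARAMS = ("wa", "whr", "wreply")

# Hosts the final redirect (wreply) may point at. Keeping this list short is
# what stops the 302 stub site from redirecting users to arbitrary sites.
ALLOWED_REPLY_HOSTS = {"portal.office365.com", "outlook.office365.com"}

# Constructed sample of what a Fiddler capture of the login redirect looks like.
CAPTURED_URL = (
    "https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=4"
    "&ct=1500000000&rver=6.1.6206.0&wp=MBI"
    "&wreply=https%3A%2F%2Foutlook.office365.com%2Fowa%2F"
    "&id=260563&whr=contoso.com&CBCXT=out"
)


def build_smart_link(captured_url: str, federated_domain: str) -> str:
    """Return the trimmed smart link, or raise ValueError if wreply is unsafe."""
    parts = urlsplit(captured_url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))

    kept = {k: v for k, v in params.items() if k in KEEP_PARAMS}
    kept["wa"] = "wsignin1.0"          # WS-Fed sign-in action
    kept["whr"] = federated_domain     # home-realm hint: skips the HRD page

    reply = kept.get("wreply")
    if not reply:
        raise ValueError("captured URL has no wreply target")
    reply_parts = urlsplit(reply)
    if reply_parts.scheme != "https" or reply_parts.hostname not in ALLOWED_REPLY_HOSTS:
        raise ValueError(f"refusing wreply target {reply!r}")

    # Deterministic parameter order makes the link easy to diff and review.
    query = urlencode([(k, kept[k]) for k in KEEP_PARAMS if k in kept])
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


if __name__ == "__main__":
    # This is the URL the IIS stub site's 302 redirect should point at.
    print(build_smart_link(CAPTURED_URL, "contoso.com"))
```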

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange